On Leadership

Real zero trust // Microsoft making more moves // SOC analyst roles

Hello friends,

Happy Saint Patrick’s day! ☘️

Every now and then we are going to mix things up a bit with our newsletter. This week we are diverting a bit from our deep security focus to reflect on a topic that, in one way or another, touches all of our lives, and one that has been on my mind recently. That topic is leadership. It’s as relevant in security as it is in any other area, and it is not a topic you hear much commentary on in our industry.

I was a consultant for about half of my career, and through that experience and subsequent work have had the chance to see dozens of companies and hundreds of leaders operate. Through thoughtful examination of the behaviors and consequences, and the chance to work for both incredible and terrible leaders myself, I’ve formed a pretty defined conclusion of what good looks like.

This is a huge topic, and there’s far more that can be written (and more that I will write in the future), but today I wanted to share just a few thoughts. Hope you enjoy.

Cheers,

Brad

On Leadership

Let’s start off with my take on what leadership is, and what it means.

My definition: it’s the ability to authentically rally and enroll others in support of a course of action that the leader decides.

  • Under this definition, followership that is coerced, fear-based, or rote is not real leadership. That’s just leverage of a role. And leadership is not management, though those two words are often used interchangeably.

  • What it looks like:

    • Sustained energy- the momentum doesn’t quickly fade

    • Magnetism- people are naturally drawn in

    • Respect, not fear

A few things I’ve learned in my travels:

1) Leadership is a behavior, not a role

It’s cliché, but it’s true. Anyone can lead. Senior executives, military commanders, politicians- all are expected to lead. It’s part of their job description. But many don’t. They are content to drift with tides, to come to meetings, to execute as a cog in a machine. Many simply leverage their position to order, command. They lean on hierarchy and systems of authority to get things done.

That’s not leadership.

Leadership happens when people take initiative and others follow. I know of so many amazing people that I’ve met in my career that are leaders in the informal sense. The people that others look to for advice and counsel. The ones that always end up making the suggestions that end up getting carried out. The ones that form the cultural nucleus of their team or department. The ones that so many other people respect.

2) Trust is the currency of leadership

I’ve seen so many people in executive roles that are ineffective leaders because they do not know how to build relationships of trust. They may know how to command a room, or look the part of a CEO, or talk tough- but when it comes down to it they fail to build trust with their teams, and then by extension, the organization.

Trust creates security, and security creates the conditions for people to lean in and take risks.

People want to be secure. They want to be heard and seen. They want to be respected. Leaders that make people feel those things build trust.

3) The winning combo of traits: security, authenticity, humility, intelligence and willingness to take risks

In my travels- there’s one type of leader that consistently stands out. These people know themselves, are aware of their strengths and weaknesses, are constantly looking to learn and grow, are comfortable in their own skin, and willing to take initiative and risk.

They treat others with respect. They are approachable. But they are also impressive. And that combination of skill plus humility draws people into their circle.

More Bob Iger, less Elon Musk. More Zelensky, less Putin.

This does not mean that other styles of leadership can’t be situationally effective (for instance, the leadership style during an acute turnaround is definitely going to need to be harder edged). 

It also doesn’t mean that other styles of leadership can’t get amazing results (as Musk has proven again and again). But in my experience, this combination persistently works well for most contexts and allows an organization to attract and retain awesome people, which helps create a great culture.

4) People often have serious mis-reads on leadership

Initial impressions can be flat out wrong. Boards frequently hire people into CEO roles that cut the part but are actually terrible leaders. 

Sometimes it can take a lot of exposure and time to realize underlying issues like narcissism or insecurity that cripple decisions (you will often see people like this promote people they can control and alienate those that are more skilled but seen as less pliant).

For high stakes leadership decisions, deep psychological profiles are worth the investment.

5) If you aren’t born with the gene, you can still lead

Many great leaders are just born with it. But even if this doesn’t come naturally to you, many leadership traits can be built over time. 

Practice:

  • Creating a safe environment for feedback and taking it to heart 

  • Stepping up when there is a vacuum

  • Choosing to take measured risks that you wouldn’t otherwise typically do, and seeing how it feels

  • Always listening before speaking

  • Identifying ways that you show up that aren’t the real you, and putting them off to the side

Tools, resources, and useful things from the internet

0️⃣Most of the time ‘zero trust’ is mentioned it’s in the context of a vendor trying to seem like something more than what they are. But it’s a very real, and very important concept. The NSA just released excellent guidance from an IAM perspective on how to think about the ZT maturity journey.

💡Brian Krebs’ analysis of the new national cybersecurity strategy.

💼A reflection on the business case for cybersecurity through the lens of brand (Entrepreneur)

News

🪟Big Microsoft patch Tuesday. 80 patches, eight critical, and one dealing with a vulnerability being exploited by Russian APT28. (Bleeping Computer)

💼The SEC is pushing to broaden cybersecurity disclosure rules for investment funds and advisors, requiring them to report cyberattacks to the SEC within 48 hours and requiring board approval of security plans. One can imagine this is a beachhead requirement for further regulation. (WSJ)

📢CISA has announced a new ransomware vulnerability warning pilot program, with a focus on critical infrastructure. (CISA)

🤖GPT-4 is out and available for testing. A good take from NYT on its strengths and the risks it poses. (NYT)

🪟Microsoft has announced GPT integration into Office, called Copilot. It also trains on unique organizational data to create discrete models. Does anyone else think this may create an issue of potentially revealing sensitive information inside an enterprise? (Microsoft)

🦹Mandiant is seeing a new wave of attacks from China targeting vulnerabilities in firewalls and other security devices (WSJ)

Jobs to check out

This week we are featuring SOC analyst roles.

💼EMC Insurance. Security Operations Specialist (Des Moines, IA)

💼Equitable. Security Operations Analyst (Remote)

💼Alma. Senior Security Operations Analyst (Remote)

💼Paccar. Security Operations Analyst (Renton, WA)

💼Sherwin-Williams. Senior SIEM Analyst (Cleveland, OH)

💼Unum. Senior SOC Analyst (Portland, ME or Chattanooga, TN)

💼Nokia. SOC Analyst (Dallas, TX)

💼Bank OZK. SOC Analyst (Little Rock, AR)

Events

💼ISC West. Las Vegas, NV. March 28-31

💼BSides Tampa. April 1.

💼BSides San Diego. April 8.

💼BSides Salt Lake City. April 14-15.

💼BSides New York. April 22.

💼RSA. San Francisco, CA. April 24-27.

Stat of the week

2%

Amount of posted cybersecurity jobs that don’t require previous work experience (our analysis)

Crux is building the talent platform for cybersecurity. Check us out.
